@prism-d1/cli 1.0.27 → 1.0.28

package/dist/assets/infra/lib/lambda/security-agent-processor.ts

@@ -0,0 +1,231 @@
+import {
+  DynamoDBClient,
+  QueryCommand,
+  ScanCommand,
+} from '@aws-sdk/client-dynamodb';
+import {
+  EventBridgeClient,
+  PutEventsCommand,
+} from '@aws-sdk/client-eventbridge';
+
+const dynamoClient = new DynamoDBClient({});
+const eventBridgeClient = new EventBridgeClient({});
+
+const EVENTS_TABLE = process.env.EVENTS_TABLE!;
+const METADATA_TABLE = process.env.METADATA_TABLE!;
+const EVENT_BUS_NAME = process.env.EVENT_BUS_NAME!;
+
+interface SecurityAgentPayload {
+  findings: Array<{
+    id: string;
+    type: string; // 'design_review' | 'code_review' | 'pen_test'
+    severity: string;
+    cvss?: number;
+    title: string;
+    description: string;
+    category: string;
+    cwe_id?: string;
+    exploit_validated?: boolean;
+    remediation: string;
+    compliance?: string[];
+    repository: string;
+    pr_number?: number;
+    commit_sha?: string;
+    spec_ref?: string;
+    environment?: string;
+    found_at: string;
+  }>;
+}
+
+/**
+ * Processes AWS Security Agent findings.
+ * Normalizes payloads, enriches with PRISM context (team_id, ai_origin),
+ * and emits prism.d1.security.<phase> events to EventBridge.
+ *
+ * Triggered by:
+ * - POST /security-findings (webhook from Security Agent)
+ * - Scheduled poll (15-min fallback for preview)
+ */
+export async function handler(event: any): Promise<any> {
+  // Handle API Gateway events
+  let payload: SecurityAgentPayload;
+  if (event.body) {
+    payload = JSON.parse(typeof event.body === 'string' ? event.body : JSON.stringify(event.body));
+  } else if (event.findings) {
+    payload = event;
+  } else {
+    console.log('No findings in event, skipping');
+    return { statusCode: 200, body: JSON.stringify({ message: 'No findings' }) };
+  }
+
+  console.log(`Processing ${payload.findings.length} Security Agent findings`);
+
+  const entries = [];
+
+  for (const finding of payload.findings) {
+    const phase = normalizePhase(finding.type);
+    const detailType = `prism.d1.security.${phase}`;
+
+    // Enrich with team_id from metadata table
+    const teamId = await lookupTeamId(finding.repository);
+
+    // Enrich with AI origin from commit events
+    const aiOrigin = await lookupAiOrigin(
+      teamId,
+      finding.repository,
+      finding.commit_sha ?? null,
+      finding.pr_number ?? null,
+    );
+
+    const prismEvent = {
+      team_id: teamId,
+      repo: finding.repository,
+      timestamp: finding.found_at,
+      prism_level: 3,
+      metric: {
+        name: 'security_finding',
+        value: 1,
+        unit: 'count',
+      },
+      ai_context: {
+        tool: 'security-agent',
+        model: 'aws-security-agent',
+        origin: aiOrigin,
+      },
+      security_agent_finding: {
+        finding_id: finding.id,
+        phase,
+        severity: finding.severity.toUpperCase(),
+        cvss_score: finding.cvss ?? null,
+        title: finding.title,
+        description: finding.description,
+        category: finding.category,
+        cwe_id: finding.cwe_id ?? null,
+        exploit_validated: finding.exploit_validated ?? false,
+        remediation_guidance: finding.remediation,
+        compliance_mappings: finding.compliance ?? [],
+        ai_origin: aiOrigin,
+        pr_number: finding.pr_number ?? null,
+        commit_sha: finding.commit_sha ?? null,
+        spec_ref: finding.spec_ref ?? null,
+        environment: finding.environment ?? 'unknown',
+        found_at: finding.found_at,
+        remediated_at: null,
+      },
+    };
+
+    entries.push({
+      Source: 'prism.d1.velocity',
+      DetailType: detailType,
+      EventBusName: EVENT_BUS_NAME,
+      Detail: JSON.stringify(prismEvent),
+    });
+  }
+
+  // Emit in batches of 10
+  for (let i = 0; i < entries.length; i += 10) {
+    await eventBridgeClient.send(
+      new PutEventsCommand({ Entries: entries.slice(i, i + 10) }),
+    );
+  }
+
+  console.log(`Emitted ${entries.length} security finding events`);
+
+  return {
+    statusCode: 200,
+    body: JSON.stringify({ message: 'OK', findingsProcessed: entries.length }),
+  };
+}
+
+function normalizePhase(type: string): string {
+  const phaseMap: Record<string, string> = {
+    design_review: 'design_review',
+    code_review: 'code_review',
+    pen_test: 'pen_test',
+    penetration_test: 'pen_test',
+    design: 'design_review',
+    code: 'code_review',
+    pentest: 'pen_test',
+  };
+  return phaseMap[type.toLowerCase()] ?? 'code_review';
+}
+
+async function lookupTeamId(repo: string): Promise<string> {
+  try {
+    // The metadata table has PK=team_id, SK=repo.
+    // We can't query by repo directly without a GSI, so we scan
+    // with a filter. This is acceptable because the metadata table
+    // has one row per team+repo (small table).
+    const result = await dynamoClient.send(
+      new ScanCommand({
+        TableName: METADATA_TABLE,
+        FilterExpression: 'repo = :repo',
+        ExpressionAttributeValues: {
+          ':repo': { S: repo },
+        },
+        Limit: 1,
+      }),
+    );
+
+    if (result.Items && result.Items.length > 0) {
+      return result.Items[0].team_id?.S ?? 'unknown';
+    }
+
+    return 'unknown';
+  } catch {
+    return 'unknown';
+  }
+}
+
+async function lookupAiOrigin(
+  teamId: string,
+  repo: string,
+  commitSha: string | null,
+  prNumber: number | null,
+): Promise<'ai-generated' | 'ai-assisted' | 'human' | 'unknown'> {
+  if (!commitSha && !prNumber) return 'unknown';
+
+  try {
+    // Query recent commit events for this repo to find AI origin
+    const pk = `${teamId}#${repo}`;
+    const now = new Date();
+    const lookback = new Date(now.getTime() - 7 * 24 * 60 * 60 * 1000); // 7 days
+
+    const result = await dynamoClient.send(
+      new QueryCommand({
+        TableName: EVENTS_TABLE,
+        KeyConditionExpression: 'pk = :pk AND sk >= :start',
+        FilterExpression: 'detail_type = :dt',
+        ExpressionAttributeValues: {
+          ':pk': { S: pk },
+          ':start': { S: lookback.toISOString() },
+          ':dt': { S: 'prism.d1.commit' },
+        },
+        ScanIndexForward: false, // Most recent first
+        Limit: 20,
+      }),
+    );
+
+    if (result.Items && result.Items.length > 0) {
+      // Count AI vs human commits to determine predominant origin
+      let aiCount = 0;
+      let humanCount = 0;
+      for (const item of result.Items) {
+        const data = JSON.parse(item.data?.S ?? '{}');
+        const origin = data.ai_context?.origin ?? 'human';
+        if (origin === 'ai-generated' || origin === 'ai-assisted') {
+          aiCount++;
+        } else {
+          humanCount++;
+        }
+      }
+      if (aiCount > humanCount) return 'ai-assisted';
+      if (humanCount > aiCount) return 'human';
+    }
+
+    return 'unknown';
+  } catch (err) {
+    console.error('Failed to look up AI origin:', err);
+    return 'unknown';
+  }
+}

package/dist/assets/infra/lib/lambda/security-remediation-tracker.ts

@@ -0,0 +1,120 @@
+import {
+  DynamoDBClient,
+  QueryCommand,
+} from '@aws-sdk/client-dynamodb';
+import {
+  EventBridgeClient,
+  PutEventsCommand,
+} from '@aws-sdk/client-eventbridge';
+
+const dynamoClient = new DynamoDBClient({});
+const eventBridgeClient = new EventBridgeClient({});
+
+const EVENTS_TABLE = process.env.EVENTS_TABLE!;
+const EVENT_BUS_NAME = process.env.EVENT_BUS_NAME!;
+
+interface PrEvent {
+  source: string;
+  'detail-type': string;
+  detail: {
+    team_id: string;
+    repo: string;
+    timestamp: string;
+    ai_context?: { origin: string };
+    pr?: { merged_at?: string; number?: number };
+  };
+}
+
+/**
+ * Triggered by merged PR events.
+ * Queries for open Security Agent findings on this repo,
+ * checks if the PR resolves any, and emits remediation events.
+ */
+export async function handler(event: PrEvent): Promise<void> {
+  const detail = event.detail;
+  const mergedAt = detail.pr?.merged_at ?? detail.timestamp;
+
+  console.log(`Checking for resolved security findings in ${detail.repo}`);
+
+  try {
+    // Query for open security findings on this repo (unremediated)
+    const securityDetailTypes = [
+      'prism.d1.security.design_review',
+      'prism.d1.security.code_review',
+      'prism.d1.security.pen_test',
+    ];
+
+    for (const detailType of securityDetailTypes) {
+      const result = await dynamoClient.send(
+        new QueryCommand({
+          TableName: EVENTS_TABLE,
+          IndexName: 'by-detail-type',
+          KeyConditionExpression: 'detail_type = :dt',
+          ExpressionAttributeValues: {
+            ':dt': { S: detailType },
+          },
+          ScanIndexForward: false,
+          Limit: 50,
+        }),
+      );
+
+      if (!result.Items || result.Items.length === 0) continue;
+
+      for (const item of result.Items) {
+        const data = JSON.parse(item.data?.S ?? '{}');
+        const finding = data.security_agent_finding;
+        if (!finding || finding.remediated_at) continue;
+
+        // Check if finding matches this repo
+        if (data.repo !== detail.repo) continue;
+
+        // Calculate remediation time
+        const foundAt = new Date(finding.found_at);
+        const mergedTime = new Date(mergedAt);
+        const remediationHours = (mergedTime.getTime() - foundAt.getTime()) / (1000 * 60 * 60);
+
+        if (remediationHours < 0) continue; // Finding is newer than PR
+
+        const remediationEvent = {
+          team_id: detail.team_id,
+          repo: detail.repo,
+          timestamp: mergedAt,
+          prism_level: 3,
+          metric: {
+            name: 'security_remediation',
+            value: remediationHours,
+            unit: 'hours',
+          },
+          ai_context: detail.ai_context,
+          security_remediation: {
+            finding_id: finding.finding_id,
+            severity: finding.severity,
+            remediation_time_hours: Math.round(remediationHours * 100) / 100,
+            remediated_by_origin: detail.ai_context?.origin ?? 'unknown',
+            fix_pr_number: detail.pr?.number ?? null,
+            finding_phase: finding.phase,
+          },
+        };
+
+        await eventBridgeClient.send(
+          new PutEventsCommand({
+            Entries: [
+              {
+                Source: 'prism.d1.velocity',
+                DetailType: 'prism.d1.security.remediation',
+                EventBusName: EVENT_BUS_NAME,
+                Detail: JSON.stringify(remediationEvent),
+              },
+            ],
+          }),
+        );
+
+        console.log(
+          `Remediation event: finding ${finding.finding_id} (${finding.severity}) fixed in ${remediationHours.toFixed(1)}h by ${detail.ai_context?.origin ?? 'unknown'}`,
+        );
+      }
+    }
+  } catch (err) {
+    console.error('Failed to track security remediation:', err);
+  }
+}

package/dist/assets/infra/lib/lambda/security-response-automator.ts

@@ -0,0 +1,130 @@
+import {
+  DynamoDBClient,
+  PutItemCommand,
+} from '@aws-sdk/client-dynamodb';
+import {
+  EventBridgeClient,
+  PutEventsCommand,
+} from '@aws-sdk/client-eventbridge';
+
+const dynamoClient = new DynamoDBClient({});
+const eventBridgeClient = new EventBridgeClient({});
+
+const EVENTS_TABLE = process.env.EVENTS_TABLE!;
+const EVENT_BUS_NAME = process.env.EVENT_BUS_NAME!;
+const GUARDRAIL_ID = process.env.GUARDRAIL_ID ?? '';
+
+interface SecurityFindingEvent {
+  source: string;
+  'detail-type': string;
+  detail: {
+    team_id: string;
+    repo: string;
+    timestamp: string;
+    security_agent_finding?: {
+      finding_id: string;
+      phase: string;
+      severity: string;
+      category: string;
+      exploit_validated: boolean;
+      title: string;
+    };
+  };
+}
+
+/**
+ * Auto-responds to critical/high Security Agent findings.
+ * Actions:
+ * 1. Write "security penalty" to events table for eval gate consumption
+ * 2. Emit SecurityCriticalFindingCount metric (triggers alarm)
+ * 3. Log for SNS escalation (SNS topic wired via alarm action)
+ */
+export async function handler(event: SecurityFindingEvent): Promise<void> {
+  const detail = event.detail;
+  const finding = detail.security_agent_finding;
+
+  if (!finding) {
+    console.log('No security_agent_finding in event, skipping');
+    return;
+  }
+
+  const severity = finding.severity.toUpperCase();
+  if (severity !== 'CRITICAL' && severity !== 'HIGH') {
+    console.log(`Finding severity ${severity} does not require automated response`);
+    return;
+  }
+
+  console.log(
+    `CRITICAL/HIGH security finding: ${finding.finding_id} (${severity}) - ${finding.title}`,
+  );
+
+  // 1. Write security penalty record for eval gate consumption
+  const ttl = Math.floor(Date.now() / 1000) + 30 * 24 * 60 * 60; // 30 days
+  try {
+    await dynamoClient.send(
+      new PutItemCommand({
+        TableName: EVENTS_TABLE,
+        Item: {
+          pk: { S: `${detail.team_id}#${detail.repo}` },
+          sk: { S: `penalty#${detail.timestamp}` },
+          detail_type: { S: 'prism.d1.security.penalty' },
+          finding_id: { S: finding.finding_id },
+          data: {
+            S: JSON.stringify({
+              team_id: detail.team_id,
+              repo: detail.repo,
+              finding_id: finding.finding_id,
+              severity,
+              category: finding.category,
+              exploit_validated: finding.exploit_validated,
+              title: finding.title,
+              phase: finding.phase,
+            }),
+          },
+          ttl: { N: ttl.toString() },
+        },
+      }),
+    );
+    console.log(`Security penalty written for finding ${finding.finding_id}`);
+  } catch (err) {
+    console.error('Failed to write security penalty:', err);
+  }
+
+  // 2. Emit critical finding metric (triggers SecurityCriticalFinding alarm)
+  try {
+    const alertEvent = {
+      team_id: detail.team_id,
+      repo: detail.repo,
+      timestamp: detail.timestamp,
+      prism_level: 1,
+      metric: {
+        name: 'SecurityCriticalFindingCount',
+        value: 1,
+        unit: 'count',
+      },
+      security_agent_finding: finding,
+    };
+
+    await eventBridgeClient.send(
+      new PutEventsCommand({
+        Entries: [
+          {
+            Source: 'prism.d1.velocity',
+            DetailType: event['detail-type'],
+            EventBusName: EVENT_BUS_NAME,
+            Detail: JSON.stringify(alertEvent),
+          },
+        ],
+      }),
+    );
+  } catch (err) {
+    console.error('Failed to emit critical finding alert:', err);
+  }
+
+  // 3. Log for operational awareness
+  console.warn(
+    `ACTION REQUIRED: ${severity} security finding in ${detail.repo}: ${finding.title} (${finding.finding_id}). ` +
+      `Phase: ${finding.phase}. Exploit validated: ${finding.exploit_validated}. ` +
+      `Category: ${finding.category}. Guardrail ID: ${GUARDRAIL_ID || 'not configured'}.`,
+  );
+}

package/dist/assets/infra/lib/lambda/spec-to-code-calculator.ts

@@ -0,0 +1,123 @@
+import {
+  DynamoDBClient,
+  QueryCommand,
+} from '@aws-sdk/client-dynamodb';
+import {
+  EventBridgeClient,
+  PutEventsCommand,
+} from '@aws-sdk/client-eventbridge';
+
+const dynamoClient = new DynamoDBClient({});
+const eventBridgeClient = new EventBridgeClient({});
+
+const EVENTS_TABLE = process.env.EVENTS_TABLE!;
+const EVENT_BUS_NAME = process.env.EVENT_BUS_NAME!;
+
+interface PrMergedEvent {
+  source: string;
+  'detail-type': string;
+  detail: {
+    team_id: string;
+    repo: string;
+    timestamp: string;
+    ai_context?: {
+      tool: string;
+      model: string;
+      origin: string;
+    };
+    pr?: {
+      spec_ref?: string;
+      merged_at?: string;
+    };
+  };
+}
+
+/**
+ * Triggered by merged PR events that have a Spec-Ref.
+ * Calculates spec-to-code hours by finding the earliest commit
+ * referencing the same spec and computing the time delta to PR merge.
+ */
+export async function handler(event: PrMergedEvent): Promise<void> {
+  const detail = event.detail;
+  const specRef = detail.pr?.spec_ref;
+
+  if (!specRef) {
+    console.log('No spec reference in PR event, skipping');
+    return;
+  }
+
+  console.log(`Calculating spec-to-code for spec: ${specRef}`);
+
+  // Query for the earliest commit event in this repo that references this spec.
+  // spec_ref is stored as a top-level DynamoDB attribute by the metrics-processor.
+  try {
+    const result = await dynamoClient.send(
+      new QueryCommand({
+        TableName: EVENTS_TABLE,
+        KeyConditionExpression: 'pk = :pk',
+        FilterExpression: 'spec_ref = :spec_ref AND detail_type = :dt',
+        ExpressionAttributeValues: {
+          ':pk': { S: `${detail.team_id}#${detail.repo}` },
+          ':spec_ref': { S: specRef },
+          ':dt': { S: 'prism.d1.commit' },
+        },
+        ScanIndexForward: true, // Oldest first
+        Limit: 1,
+      }),
+    );
+
+    if (!result.Items || result.Items.length === 0) {
+      console.log(`No commit events found referencing spec: ${specRef}`);
+      return;
+    }
+
+    const earliestSpecCommitTime = result.Items[0].sk?.S;
+    if (!earliestSpecCommitTime) {
+      console.log('Could not determine spec commit timestamp');
+      return;
+    }
+
+    const mergedAt = detail.pr?.merged_at ?? detail.timestamp;
+    const specTime = new Date(earliestSpecCommitTime);
+    const mergeTime = new Date(mergedAt);
+    const specToCodeHours = (mergeTime.getTime() - specTime.getTime()) / (1000 * 60 * 60);
+
+    if (specToCodeHours < 0) {
+      console.log('Negative spec-to-code time, likely data issue');
+      return;
+    }
+
+    const specEvent = {
+      team_id: detail.team_id,
+      repo: detail.repo,
+      timestamp: detail.timestamp,
+      prism_level: 3,
+      metric: {
+        name: 'spec_to_code_hours',
+        value: Math.round(specToCodeHours * 100) / 100,
+        unit: 'hours',
+      },
+      ai_context: detail.ai_context,
+      ai_dora: {
+        spec_to_code_hours: Math.round(specToCodeHours * 100) / 100,
+      },
+    };
+
+    await eventBridgeClient.send(
+      new PutEventsCommand({
+        Entries: [
+          {
+            Source: 'prism.d1.velocity',
+            DetailType: 'prism.d1.pr',
+            EventBusName: EVENT_BUS_NAME,
+            Detail: JSON.stringify(specEvent),
+          },
+        ],
+      }),
+    );
+
+    console.log(`Spec-to-code: ${specToCodeHours.toFixed(2)} hours for spec ${specRef}`);
+  } catch (err) {
+    console.error('Failed to calculate spec-to-code hours:', err);
+  }
+}